From e58740472e8d9bc9d14704582adc263cd9771a2c Mon Sep 17 00:00:00 2001
From: Tasia Iso
Date: Thu, 3 Oct 2024 15:10:04 +0200
Subject: [PATCH] close port 22, add grafana, prometheus, node-exporter

---
 hosts/vulpecula/configuration.nix | 79 +++++++++++++++++-----
 hosts/vulpecula/hardware-configuration.nix | 32 +++++----
 hosts/yaseen/configuration.nix | 45 ------------
 3 files changed, 81 insertions(+), 75 deletions(-)

diff --git a/hosts/vulpecula/configuration.nix b/hosts/vulpecula/configuration.nix
index d391515..787d2bb 100644
--- a/hosts/vulpecula/configuration.nix
+++ b/hosts/vulpecula/configuration.nix
@@ -1,10 +1,14 @@
-{ config, lib, inputs, ... }: let
+{
+ config,
+ lib,
+ inputs,
+ ...
+}: let
 sshKeys = import ../../crypto/ssh-keys.nix;
 in {
 imports = [
 ./hardware-configuration.nix
 ../../common/base.nix
-
 ];
 
 networking = {
@@ -12,13 +16,9 @@ in {
 
 firewall = {
 allowedTCPPorts = [
- # 8080 # ?
 80
 443
- 22
- # 8008 # ssb
- # 12345 # tildefriends
- # 13378 # audiobookshelf
+ # 22
 ];
 allowedUDPPorts = [
 # 8080 # ?
@@ -26,11 +26,9 @@ in {
 };
 };
 
+ # Disable systemd-boot, use grub instead
 boot = {
 loader.systemd-boot.enable = lib.mkForce false;
-
- # efi.canTouchEfiVariables = true;
-
 initrd = {
 enable = lib.mkForce true;
 systemd.enable = lib.mkForce false;
@@ -39,7 +37,7 @@ in {
 
 boot.loader.grub.device = "/dev/sda";
 
- users.users.tasia = {
+ users.users.tasia = {
 isNormalUser = true;
 description = "Tasia";
 extraGroups = ["networkmanager" "wheel" "dialout"];
@@ -66,13 +64,11 @@ in {
 virtualHosts."git.vulpecula.zone" = {
 addSSL = true;
 enableACME = true;
- locations."/".proxyPass = "http://localhost:62101";
- # ${toString config.services.forgejo.settings.server.HTTP_PORT}
+ locations."/".proxyPass = "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
 };
-
-
 };
 
+ # change when ppl can make their own website
 security.acme = {
 acceptTerms = true;
 defaults.email = "tasiaiso@proton.me";
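Review bot: Dropping `22` from `allowedTCPPorts` here, combined with the removal of `services.openssh.enable = true;` in the last hunk of this file, leaves no SSH path visible anywhere in this configuration for a machine that hardware-configuration.nix marks as a qemu guest; unless ../../common/base.nix enables openssh and it is reached over a non-public interface, the next rebuild can lock remote administration out. The bare `# 22` left in the list does not record which of those is intended. If SSH is meant to stay reachable on a management interface only, `networking.firewall.interfaces.<iface>.allowedTCPPorts = [22];` (iface to be filled in) makes that explicit; if it is being retired, a comment such as `# 22 — SSH no longer exposed on the public interface; openssh config lives in common/base.nix` documents the decision. The enclosing `networking` set begins before this hunk.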
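Review bot: The git.vulpecula.zone vhost that the new `proxyPass` line feeds still carries `addSSL = true;` (a pre-existing context line in this hunk), which serves the forge over plain HTTP alongside HTTPS, so Forgejo sessions and tokens can travel unencrypted over port 80, which this file opens in the firewall. Since the vhost is being edited anyway, `forceSSL = true;` in place of `addSSL = true;` redirects HTTP to HTTPS. The `services.nginx` block this belongs to starts before the hunk.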
@@ -110,11 +106,62 @@ in {
 # mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
 };
+ # services.gitea-actions-runner = {
+ # package = pkgs.forgejo-actions-runner;
+ # instances.default = {
+ # enable = true;
+ # name = "monolith";
+ # url = "https://git.vulpecula.zone";
+ # # Obtaining the path to the runner token file may differ
+ # tokenFile = config.age.secrets.forgejo-runner-token.path;
+ # labels = [
+ # "ubuntu-latest:docker://node:16-bullseye"
+ # "ubuntu-22.04:docker://node:16-bullseye"
+ # "ubuntu-20.04:docker://node:16-bullseye"
+ # "ubuntu-18.04:docker://node:16-buster"
+ # ## optionally provide native execution on the host:
+ # # "native:host"
+ # ];
+ # };
+ # };
+
+ services.grafana = {
+ enable = false;
+ settings.server = {
+ domain = "grafana.vulpecula.zone";
+ http_port = 62102;
+ http_addr = "0.0.0.0";
+ };
+ };
+
+ services.prometheus = {
+ enable = false;
+ port = 62103;
+ retentionTime = "60d";
+
+ exporters = {
+ node = {
+ enable = false;
+ enabledCollectors = ["systemd"];
+ port = 62104;
+ };
+ };
+
+ scrapeConfigs = [
+ {
+ job_name = "vulpecula";
+ static_configs = [
+ {
+ targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
+ }
+ ];
+ }
+ ];
+ };
 boot.tmp.cleanOnBoot = true;
 zramSwap.enable = true;
 networking.domain = "";
- services.openssh.enable = true;
 # users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@yaseen'' ];
 system.stateVersion = "24.05";
 }
diff --git a/hosts/vulpecula/hardware-configuration.nix b/hosts/vulpecula/hardware-configuration.nix
index 488f302..d2b4c1c 100644
--- a/hosts/vulpecula/hardware-configuration.nix
+++ b/hosts/vulpecula/hardware-configuration.nix
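Review bot: `http_addr = "0.0.0.0";` in the new `services.grafana` block makes Grafana listen on every interface on 62102 as soon as `enable` is flipped to true, and the new `exporters.node` block leaves the exporter on its default listen address, which is not loopback-only; at that point only the firewall rules elsewhere in this file (80/443) separate both from the network. Forgejo in this file is fronted by the nginx reverse proxy on localhost, and the same shape fits here: `http_addr = "127.0.0.1";` with an nginx virtualHost for grafana.vulpecula.zone, and `listenAddress = "127.0.0.1";` under `exporters.node` so only the local `127.0.0.1:${toString config.services.prometheus.exporters.node.port}` scrape target can reach it. A one-line comment stating that both blocks are deliberately `enable = false;` until that proxying is in place would also help the next reader. The enclosing attribute set begins before this hunk.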
@@ -1,24 +1,28 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
- imports =
- [ (modulesPath + "/profiles/qemu-guest.nix")
- ];
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
 
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
+ boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
 
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/b908efa0-fa9b-498e-9553-7346d9169fee";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/b908efa0-fa9b-498e-9553-7346d9169fee";
+ fsType = "ext4";
+ };
 
- swapDevices = [ ];
+ swapDevices = [];
 
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
 # (the default) this is the recommended approach. When using systemd-networkd it's
diff --git a/hosts/yaseen/configuration.nix b/hosts/yaseen/configuration.nix
index b7a6365..60eb1ce 100644
--- a/hosts/yaseen/configuration.nix
+++ b/hosts/yaseen/configuration.nix
@@ -164,53 +164,8 @@ in {
 # defaults.email = "tasiaiso@proton.me";
 # };
-
- # services.grafana = {
- # enable = false;
- # settings.server = {
- # domain = "grafana.enry";
- # http_port = 2342;
- # http_addr = "0.0.0.0";
- # };
- # };
-
- # services.prometheus = {
- # enable = false;
- # port = 9000;
- # retentionTime = "60d";
- # exporters = {
- # node = {
- # enable = false;
- # enabledCollectors = ["systemd"];
- # port = 9002;
- # };
- # };
- # scrapeConfigs = [
- # {
- # job_name = "enry";
- # static_configs = [
- # {
- # targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
- # }
- # ];
- # }
-
- # {
- # job_name = "monitor";
- # static_configs = [
- # {
- # targets = ["127.0.0.1:8080"];
- # }
- # ];
- # }
- # ];
- # };
 services.printing.drivers = [pkgs.cnijfilter2];
- services.uptime-kuma.enable = true;
 nixpkgs.config.permittedInsecurePackages = [
 "olm-3.2.16"